Solved

Admin Rights in GPO to Run a .BAT File

Posted on 2013-01-16
6
847 Views
Last Modified: 2013-01-16
Hello,

I am trying to run a simple .BAT file that will get rid of previous versions of Java and I want to use Group Policy to distribute it.  I have it setup as a startup script in the Group Policy Manager and it works great ... as long as the user logs in with the local or domain Admin account :S

I thought using the startup script in GPM automatically used system admin rights.  Did I miss a step there?

I've tried to find a few simple solutions across the web, but they all seem to involve putting the admin account info in the BAT file ... something I do NOT want to do.

BTW, I am far from a programmer (my BAT file simply has one command in it).  So bear with me.  Also running a Windows 2008 R2 environment and the client machines are Win7.

Any help would be appreciated.
0
Comment
Question by:qec-dpenney
  • 3
  • 2
6 Comments
 
LVL 83

Expert Comment

by:oBdA
ID: 38782813
You're not using a startup script then, but a logon script.
Look under "Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)".
The startup script will run with System rights, and it will run without a user logging on.
Use this batch file as a template; it will create a startup.log file in %Systemroot%\Temp:
>>"C:Windows\Temp\startup.log" echo Startup script started at %Date% %Time%
>>"%Systemroot%\Temp\startup.log"  echo Running as:
whoami.exe >>"%Systemroot%\Temp\startup.log"
REM Your Java command:

Open in new window

Then assign the GPO to a test computer and reboot the machine. You can check whether the script ran without logging on; in an elevated command prompt, enter type \\TestMachine\Admin$\Temp\startup.log.
0
 

Author Comment

by:qec-dpenney
ID: 38782887
Here is the odd thing ... it is setup under the Startup script ... and I assume the BAT is running at start up since the login in process really takes no time at all to load.  However, If I log as the user, Java is not removed, if I log as either the local or domain admin, Java is removed.

I will try your test BAT though and get back to you, just to make sure I didn't mess anything up.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 38782951
Are you using the script here to remove Java ??

http://community.spiceworks.com/scripts/show/1449-uninstall-java-6
0
Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

 

Author Comment

by:qec-dpenney
ID: 38782975
Yes, but just the command line.  This is my '.BAT file';

wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive

wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive

wmic product where "name like 'Java 7%%'" call uninstall /nointeractive

exit
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 38783003
Try this then; it adds some more logging:
@echo off
>>"C:Windows\Temp\startup.log" echo Startup script started at %Date% %Time%
>>"%Systemroot%\Temp\startup.log"  echo Running as:
whoami.exe >>"%Systemroot%\Temp\startup.log"
>>"C:Windows\Temp\startup.log" echo %Time% Uninstalling 'Java(TM) 6%%%%' ...
wmic product where "name like 'Java(TM) 6%%'" call uninstall /nointeractive >>"%Systemroot%\Temp\startup.log" 2>&1
>>"C:Windows\Temp\startup.log" echo %Time% Uninstalling 'Java(TM) 7%%%%' ...
wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive >>"%Systemroot%\Temp\startup.log" 2>&1
>>"C:Windows\Temp\startup.log" echo %Time% Uninstalling 'Java 7%%%%' ...
wmic product where "name like 'Java 7%%'" call uninstall /nointeractive >>"%Systemroot%\Temp\startup.log" 2>&1
>>"C:Windows\Temp\startup.log" echo Startup script ended at %Date% %Time%

Open in new window

0
 

Author Comment

by:qec-dpenney
ID: 38783328
It looks like it is now working.  Thanks for your help with this.  I updated my BAT file with your improved logging BAT file (didn't change any of the GPO settings though) and it looks like it is working.

I think my issue was I was expecting the GPO update to occur too quickly.  With my testing, I had to reboot 3 or 4 times in order for the update to occur, but I kept logging in as a local user (no admin rights) and eventually all Java instances disappeared.

Your logging BAT file helped me determine if it was running and if it was successful (had a couple of 1603 instances instead of 0 ... that may have been an issue as well)

Thanks for your help.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
In this article, I will show you HOW TO: Perform a Physical to Virtual (P2V) Conversion the easy way from a computer backup (image).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now